Re: Controlling access to pdf/doc files

[Mark Curphey <mark () curphey com>]

Why does it need to be a file ?

I would approach this by storing the data in an object and streaming it to the browser after having made an 
authorization check. Check the session context, call the method and read the data from the users object. Then  stream 
it to the browser. No need to cache it in a file. Bad for performance and security. 

As always designing better solutions is cheaper than fixing bad ones ;-)

---- Sangita Pakala <sangita.pakala () paladion net> wrote:
> Hi,
>
> Could I have the list's thoughts on an answer we are preparing for the
> next version of the AppSec FAQ at OWASP.
>  
> Question - How can I ensure my application allows only authenticated
> users access to files like *.pdf or *.doc?
>
> Issue - Suppose a web site, say a bank site, displays the user's account
> statement as a .doc file. What if someone tries to access this file by
> typing its full URL into the address bar? How does the application check
> whether the user trying to access the file is the authenticated user and
> that the session has not expired? 
>
> Solution - One solution is to have a random number for the name of the
> file or the folder containing it. This random number could even be
> related to the session token of the user. This file/folder should then
> be deleted as soon as the user's session has expired.
>
> Are there better methods available to address this issue? Can the web
> server run a server side program to verify the session token before
> serving the final GET request for the file? 
>
>
> Thanks,
> Sangita.
>
> OWASP AppSec FAQ
> http://www.owasp.org/documentation/appsecfaq
>
> Paladion Networks
> http://www.paladion.net